TK Maxx data definitely compromised

Data breach worse than previously believed

Credit card data of T.K. Maxx customers in the UK have definitely been compromised by the massive data breach disclosed last month.

An ongoing investigation of the breach has shown that intruders gained access to the systems of T.K. Maxx parent and US retailer, TJX almost a full-year earlier than first thought – and compromised more payment card data than previously believed, the company said in a statement.

The investigation confirmed card transaction data involving T.K. Maxx in the UK and Ireland were also affected by the intrusion. Previously, the company had only said that it was "concerned" about this possibility.

In January, the company announced that someone had illegally accessed one of its payment systems and made off with card data belonging to an unspecified number of customers in the US, Canada, Puerto Rico as well as potentially the UK and Ireland.

"We are dedicating substantial resources to investigating and evaluating the intrusion," TJX's new chief executive Carol Meyrowitz said. IBM and General Dynamics, the two companies hired by TJX to shore up security in the wake of the breach, have committed "over 50 experts" to handle the probe, she said.

TJX still hasn't disclosed the number of shoppers that may have been affected by the breach, though many analysts believe the number to be in the millions. When it first announced the breach, TJX said it believed the intrusion took place in May 2006 but wasn't discovered until December, seven months later.

The ongoing investigation found that intruders, in fact, gained access to the company's systems as far back as July 2005 and "on various subsequent dates in 2005".

Similarly, payment card data involving transactions over an 18-month period between January 2003 and June 2004 has also been compromised – as well as more drivers licence information than previously thought, the company said. Until now, TJX was only able to confirm the compromise of data involving transactions in 2005 and for the period between May 2006 and December 2006.

The fallout from the breach has been widespread, with banks and credit unions around the US, as well as in Canada being forced to block and reissue thousands of cards.